The Case for Passphrases
Passphrases derive security from word count rather than character complexity. Four random common words (diceware method) produce about 51 bits of entropy, and five words reach about 64 bits. They're far easier to memorize than random character strings and significantly harder to type incorrectly. This makes them ideal for passwords that must be typed regularly, like master passwords.
The Case for Random Character Passwords
Character-based random passwords produce the highest entropy per character. A 16-character random ASCII password achieves over 100 bits of entropy — requiring fewer characters than a comparable passphrase. They're ideal for stored passwords where memorability doesn't matter and you just need maximum security in minimum characters.
When Passphrases Win
Passphrases are the superior choice for anything you must memorize and type regularly: your password manager master password, your computer login, your full-disk encryption passphrase. The memorability advantage is real and important. The key is that the words must be chosen randomly — not by association.
When Random Character Passwords Win
For everything stored in a password manager — which should be most of your passwords — random character strings are optimal. Memorability is irrelevant since the manager handles filling them in. You get maximum entropy in minimum length, which matters especially on sites with character count limits.
Use passphrases for secrets you must memorize (master password, disk encryption) and random character passwords for everything stored in your password manager. Both are strong when generated with true randomness.